System Maintenance in AWS OpsWorks for Chef Automate

Mandatory system maintenance ensures that the latest minor versions of Chef Server and Chef Automate Server, including security updates, are always running on an AWS OpsWorks for Chef Automate server. System maintenance is required a minimum of once a week. By using the AWS CLI, you can configure daily automatic maintenance, if desired. You can also use the AWS CLI to perform system maintenance on demand, in addition to scheduled system maintenance.

When new minor versions of Chef software become available, system maintenance is designed to update the minor version of Chef Automate and Chef Server on the server automatically, as soon as it passes AWS testing. AWS performs extensive testing to verify that Chef upgrades are production-ready and do not disrupt existing customer environments, so there can be lags between Chef software releases and their availability for application to existing OpsWorks for Chef Automate servers. To update available minor versions of Chef software on demand, see Starting system maintenance on demand in this topic.

System maintenance launches a new instance from a backup that is performed as part of the maintenance process, which helps reduce risk from degraded or impaired Amazon EC2 instances that undergo periodic maintenance.

Ensuring nodes trust the AWS OpsWorks Certification Authority

Nodes that you are managing with an AWS OpsWorks for Chef Automate server must authenticate with the server by using certificates. During system maintenance, AWS OpsWorks replaces the server instance and regenerates new certificates through the AWS OpsWorks certificate authority (CA). To restore communication automatically with your managed nodes after maintenance is finished, nodes should trust the AWS OpsWorks CA that ships with the starter kit and is hosted in the three regions that are supported by AWS OpsWorks for Chef Automate: US West (Oregon) Region, US East (N. Virginia) Region, and EU (Ireland) Region. When you use the AWS OpsWorks CA to establish the trust between nodes and server, nodes reconnect to the new server instance after maintenance. If you are adding EC2 nodes by using the EC2 userdata script described in Adding Nodes Automatically in AWS OpsWorks for Chef Automate, nodes are already configured to trust the AWS OpsWorks CA.

For Linux-based nodes, the S3 bucket location of the CA is https://opsworks-cm-${REGION}-prod-default-assets.s3.amazonaws.com/misc/opsworks-cm-ca-2016-root.pem, where ${REGION} can be us-west-2, us-east-1, or eu-west-1. The AWS OpsWorks trusted CA must be stored in the path /etc/chef/opsworks-cm-ca-2016-root.pem.

For Windows-based nodes, the S3 bucket location of the CA is https://opsworks-cm-$env:AWS_REGION-prod-default-assets.s3.amazonaws.com/misc/opsworks-cm-ca-2016-root.pem, where $env:AWS_REGION can be us-west-2, us-east-1, or eu-west-1. The AWS OpsWorks CA must be stored in the root Chef folder; for example, C:\chef\opsworks-cm-ca-2016-root.pem.
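The Linux-node steps above, as an added example that is not part of the AWS documentation: a POSIX shell script that builds the per-region CA URL, refuses any region other than the three the page lists, downloads the CA over HTTPS, checks that the result actually parses as an X.509 certificate, and only then installs it at /etc/chef/opsworks-cm-ca-2016-root.pem. The function names, the use of curl and openssl, and running the install step as root are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not AWS documentation code): install the AWS OpsWorks CA on a Linux
# node so the node keeps trusting the server after maintenance regenerates its certs.
set -eu

CA_FILE="opsworks-cm-ca-2016-root.pem"   # file name given in the documentation
CA_DEST="/etc/chef/${CA_FILE}"           # path the documentation requires on Linux nodes

# Only the three regions listed in the documentation host the CA; refuse anything
# else rather than fetching from a bucket name nobody vouches for.
opsworks_ca_url() {
  case "$1" in
    us-west-2|us-east-1|eu-west-1)
      printf 'https://opsworks-cm-%s-prod-default-assets.s3.amazonaws.com/misc/%s\n' "$1" "$CA_FILE"
      ;;
    *)
      printf 'unsupported region for the OpsWorks CA: %s\n' "$1" >&2
      return 1
      ;;
  esac
}

# A downloaded file is trusted only if openssl can parse it as a PEM certificate
# (a stray HTML error page, for instance, would fail here). Assumes openssl is installed.
is_pem_certificate() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Download, verify, then place the CA with world-readable permissions (chef-client
# needs to read it; nothing needs to write it). Run as root.
install_opsworks_ca() {
  region="$1"
  url=$(opsworks_ca_url "$region") || return 1
  tmp=$(mktemp)
  # --fail turns an HTTP 4xx/5xx into a hard error instead of saving the error body
  curl --silent --show-error --fail --location -o "$tmp" "$url"
  if ! is_pem_certificate "$tmp"; then
    echo "downloaded file from $url is not a PEM certificate; not installing" >&2
    rm -f "$tmp"
    return 1
  fi
  # Print what is about to be trusted so the fingerprint can be recorded/compared.
  openssl x509 -in "$tmp" -noout -subject -enddate -fingerprint -sha256
  install -d -m 0755 /etc/chef
  install -m 0644 "$tmp" "$CA_DEST"
  rm -f "$tmp"
  echo "installed OpsWorks CA at $CA_DEST"
}

# Usage: sh install-opsworks-ca.sh us-west-2
if [ $# -gt 0 ]; then
  install_opsworks_ca "$1"
fi
```

Windows nodes need the same file at C:\chef\opsworks-cm-ca-2016-root.pem, fetched from the URL the page gives with $env:AWS_REGION; that path is not covered by this script.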

Configuring system maintenance

When you create a new AWS OpsWorks for Chef Automate server, you can configure a weekday and time, in Coordinated Universal Time (UTC), for system maintenance to start. Maintenance starts during the hour that you specify. Because you should expect the server to be offline during system maintenance, choose a time of low server demand within regular office hours. The server status is UNDER_MAINTENANCE while maintenance is in progress.

You can also change the system maintenance settings on an existing AWS OpsWorks for Chef Automate server, by changing settings in the System maintenance area of the Settings page for your server, as shown in the following screenshot.

In the System maintenance section, set the day and hour that you want system maintenance to begin.

Configuring system maintenance by using the AWS CLI

You can also configure the system maintenance automatic start time by using the AWS CLI. The AWS CLI lets you configure daily automatic maintenance, if desired, by omitting the three-character weekday prefix.

In a create-server command, add the --preferred-maintenance-window parameter to your command, after specifying the requirements for creating the server instance (such as instance type, instance profile ARN, and service role ARN). In the following create-server example, --preferred-maintenance-window is set to Mon:08:00, meaning that you've set maintenance to start every Monday morning at 8:00 a.m. UTC.

For more information about setting the preferred system maintenance window by using the AWS CLI, see create-server and update-server.

Starting system maintenance on demand

To start system maintenance on demand, outside of your configured weekly or daily automatic maintenance, run the following AWS CLI command. You cannot start on-demand maintenance in the AWS Management Console.
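The two AWS CLI procedures in this topic, setting the preferred maintenance window and starting maintenance on demand, as one added example that is not part of the AWS documentation. The window string is validated locally before it is sent (weekly Mon:08:00 style, or HH:MM for daily when the weekday prefix is omitted, as the text describes), the window is applied with update-server, and an on-demand run is started and then polled until the server status leaves UNDER_MAINTENANCE. start-maintenance and describe-servers are the opsworks-cm subcommands of the AWS CLI for those operations; the function names, the 30-second polling interval and the one-hour default timeout are this example's own choices, and it assumes the AWS CLI is installed with credentials configured.

```shell
#!/bin/sh
# Added example (not AWS documentation code): manage the OpsWorks for Chef Automate
# maintenance window and run maintenance on demand with the AWS CLI.
set -eu

# The window is either DDD:HH:MM (weekly, e.g. Mon:08:00) or HH:MM (daily).
# The service accepts the string as-is, so reject malformed values before the API call.
validate_maintenance_window() {
  w="$1"
  case "$w" in
    [A-Z][a-z][a-z]:[0-2][0-9]:[0-5][0-9]) day="${w%%:*}"; hhmm="${w#*:}" ;;
    [0-2][0-9]:[0-5][0-9])                 day="";          hhmm="$w" ;;
    *) return 1 ;;
  esac
  case "$day" in
    ""|Mon|Tue|Wed|Thu|Fri|Sat|Sun) ;;   # empty day = daily maintenance
    *) return 1 ;;
  esac
  case "${hhmm%%:*}" in                    # hour must be 00-23 (UTC)
    2[4-9]) return 1 ;;
  esac
  return 0
}

# Change the window on an existing server. Passing "HH:MM" (no weekday) switches the
# server to daily maintenance, as the documentation describes.
set_maintenance_window() {
  server="$1"; window="$2"
  if ! validate_maintenance_window "$window"; then
    echo "invalid maintenance window: $window (want DDD:HH:MM or HH:MM)" >&2
    return 1
  fi
  aws opsworks-cm update-server \
    --server-name "$server" \
    --preferred-maintenance-window "$window"
}

# Current status string, e.g. HEALTHY or UNDER_MAINTENANCE.
server_status() {
  aws opsworks-cm describe-servers --server-name "$1" \
    --query 'Servers[0].Status' --output text
}

# Start maintenance now (the console offers no such action) and wait until the status
# changes back from UNDER_MAINTENANCE; expect the server to be offline meanwhile.
run_maintenance_now() {
  server="$1"; timeout_s="${2:-3600}"
  aws opsworks-cm start-maintenance --server-name "$server"
  elapsed=0
  while [ "$(server_status "$server")" = "UNDER_MAINTENANCE" ]; do
    if [ "$elapsed" -ge "$timeout_s" ]; then
      echo "server $server still UNDER_MAINTENANCE after ${timeout_s}s" >&2
      return 1
    fi
    sleep 30
    elapsed=$((elapsed + 30))
  done
  echo "maintenance finished; status is now $(server_status "$server")"
}

# Usage:
#   set_maintenance_window my-chef-server Mon:08:00   # weekly, Monday 08:00 UTC
#   set_maintenance_window my-chef-server 03:00       # daily, 03:00 UTC
#   run_maintenance_now my-chef-server
```

The same validated --preferred-maintenance-window value is what you would append to a create-server command when building a new server; only the subcommand and its required instance-type, instance-profile and service-role arguments differ.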

Restoring custom configurations and files after maintenance

System maintenance can delete or change custom files or configurations that you have
added to your AWS OpsWorks for Chef Automate server.

If, after a maintenance run, your Chef server is missing files or settings that you added by using RunCommand or SSH, you can use an Amazon Machine Image (AMI) to launch a new Amazon EC2 instance. AMIs are available that are built from a server's pre-maintenance configuration.

The new instance is in the same state that the Chef server was before maintenance, and should include your missing files and settings.

Important

You cannot use the new instance to restore your server; the instance cannot be run as a Chef server. You can use the instance only to recover your files and configuration settings.

To launch an EC2 instance from an AMI, in the Amazon EC2 console, open the Launch wizard, choose My AMIs, and then choose the AMI that has your server name. Follow Amazon EC2 wizard steps as you would for any other instance launch.